Policy | Security | Investigation

text message subpoena

February 03, 2010

Many enterprises and professionals are using Twitter* for official business. One local government example is the City of Raleigh, North Carolina. The Raleigh municipal government appears to be using Twitter to broadcast public service messages.

For legal purposes, many professionals and enterprises are wise to archive some or all of their Twitter (or Foursquare) communications. Records may be needed for such purposes as subpoenas, e-discovery (EDD), public records law and the like.

How does one record Twitter for long-term storage? In practice it is difficult for an enterprise (or an individual professional) to manage electronic records –-Twitter or otherwise -- for long periods of time. This difficulty motivates records managers to focus their attention and resources.

I argue that electronic mail should normally be the cornerstone for archiving electronic business records. My feeling is that e-mail is the first digital place the legal system expects to find important records. When records managers tackle electronic records, e-mail is the logical first place for to focus attention and resources. Every business person has an e-mail account, through which he or she exchanges important messages.

Thus, as a business professional adopts social media like Twitter and Facebook for serious communications, a practical approach to archiving those communications is to capture them in the professional's email account. Services like Twitter and Facebook come and go. They are hot this year, but something else may replace them next year. The professional's email account, however, is fairly permanent and stable. The email account is the unified, timeless place to store all important communications.

I've previously suggested how to use a business email account to capture Facebook messages. Native Facebook provides tools for exchanging many kinds of FB messages via email.

I've looked for similar tools at Twitter.com. However, native Twitter does not appear to support email as much as FB does. Instead, Twitter supports SMS*. SMS is normally associated with cell phones.

Twitter's support for SMS gives me ideas for simple record-keeping. It is relatively easy to integrate SMS with email for the purpose of capturing messages in an e-mail account. I offer some simple examples here. I'll bet even better ways exist.

For some professionals, the easiest way to submit a tweet* to Twitter via SMS, while also saving a copy in a business email account, is with a cell phone. Many cell phone services such as Sprint allow the user to send an SMS message to a mobile number (such as the mobile number that Twitter supports) and, at the same time, to an e-mail address. Accordingly, a user could use SMS on his Sprint phone to send a tweet to Twitter, with a copy to his business e-mail account, where it can be archived like all his other email.

In the alternative, the professional can subscribe to a paid service like ipipi.com to act as a gateway between email and SMS.

If the professional uses Microsoft Outlook for e-mail, she could exchange SMS message from her email client using the Outlook Mobile Service. The service works via an SMS account with a provider like your cell phone carrier, and thus might involve special charges. Using the Outlook Mobile Service, the user could send an SMS tweet to Twitter, and her Outlook account would keep a record just as it normally would keep a record of an outgoing email.

Here is a screenshot of a tweet sent from a Sprint phone.

What do you think of these ideas, Gentle Reader?

Update: Apparently there is a twitter gadget for gmail that will store your tweets in gmail so they can be archived like email.

Another update: Apparently Twitter, and search engines that search Twitter, lose much of the tweet conversation quickly. Although Twitter keeps tweets indefinitely, it is unable to search for features like hashtags, which organize ongoing conversations, such as #iranelection. Similarly, LinkedIn seems not to display public conversations more than a couple of weeks.

Third update: The Broward County Sheriff's Department has created its own Twitter-like service, called CyberVisor, to broadcast messages about crimes and emergencies as they develop. Presumably the Sheriff's Department can control and record this service better than something on Twitter.

* What is Twitter? Twitter is a popular social media service that allows users to broadcast and read short messages. The little messages are normally stored on Twitter’s web site (in the form of a so-called micro-blog), and are often transmitted to other places such as cell phones and widgets on other web pages.

* What is SMS? SMS means short message service. It is best known as the standard for exchanging text messages among cellular and mobile phones.

* What is a tweet? A tweet is a short text message, no more than 140 characters, broadcast or micro-blogged from a user's account in Twitter.

But often the party that receives (or seizes) the records should be expected to safeguard them after they arrive.

Laws requiring the safeguarding of records are many and diverse. One small example: As a business discloses information to the federal government, it can (if justified) tag or annotate the information as a “trade secret.” By so doing, the business warns government employees that they violate federal law (18 U.S.C. Section 1905) if they abuse the trade secret, such as disclose it to a competitor or to the news media.

Legally speaking, the tagging or annotating of records can be strategically powerful. But when a large quantity of e-records (SMS, chat, e-mail, Web 2.0, iPhone, BlackBerry) is involved, manual annotation is laborious and expensive.

When records like instant messages are disclosed under law, it is becoming more common that they be disclosed in an electronic format that supports annotations, such as XML.

Electronic annotation (commenting) enables highly granular, specifically-targeted legal notices. Targeted annotation can give the producing party an advantage. The advantage is more apparent when large numbers of record are at issue and different records require different notices.

By long-standing practice, lawyers often mark disclosed records with warnings or reservations of rights. But historically these notices were expressed as general, blanket statements in transmittal letters. (See footnote.)

When numerous records are involved, blanket statements may not be as effective as specific, record-by-record annotations. Suppose for example that five million email records are being produced. Within those records are, say, 2137 that contain personally identifiable information (PII), which the producing party is obligated to safeguard. The producing party may better fulfill its obligation by specifically annotating each of the 2137 with strong warnings, rather than with general notices covering the whole five million. (Example: “WARNING: This email may contain private data protected by law. Access on need-to-know basis only.”)

Specific annotations can include any of a range of legal statements: disclaimers, instructions, interpretations, cross references, self-serving language, reservations of rights, claims of privacy, contractual terms of use, designation as attorney work product and more.

According to Ranjit Sarai, e-discovery consultant at Messaging Architects, “Annotations can involve advanced services in e-record production. Manual annotation of individual records can be very time consuming. But we can recommend or develop routines for identifying relevant records and placing the prescribed annotations on them. We can facilitate collaborative, team annotations. We can also help bring the appropriate attention to annotations. Some annotations should be understated. Others should scream out in blinking neon lights.”

Update: Tags and annotations can be inserted according to varying degrees of granularity, whether record-by-record, word-by-word, or something else. US intelligence agencies are managing massive databases on terrorists by tagging each word, one-by-one. A tag can show, for example, the level of security clearance an analyst needs in order to see the word. Advanced search software can prevent an analyst from seeing information for which he does not have adequate clearance, while alerting him that the database may contain additional information relevant to his inquiry, access to which will require higher authority. Siobhan Gorman, "How a Team of Geeks Cracked Spy Trade," Wall St. J., 4 Sept. 09.

Footnote: A case known as Teachers Insurance(1) suggested that when a company discloses information to the Securities and Exchange Commission, it waives attorney-client privilege on that information, unless it explicitly reserves its privilege rights. Applying that idea, a company in another case(2) attempted to make such a reservation of rights in the transmittal letter sent with documents disclosed to the SEC.

IT Administrators

Twitter

Custom Professional Training

Local ARMA Quote

"The presentation by Mr. Wright, sponsored by Messaging Architects, was engaging and provocative. He delivered insights that challenged some of our views on retaining e-mail, and definitely shattered others." - Terry Mergele, CRM, Program Chair, San Antonio ARMA.

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

SANS Quote

"The best professional trainer in the country on these issues is Ben Wright." --Stephen H. Chapman, Principal and CEO, Security Advisers, LLC, and student in Mr. Wright's SANS legal training

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.

The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.

Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.

Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.

The only person responsible for Mr. Wright's words is Mr. Wright.

Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.

Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.

Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.

Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.

Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.